Cisco ASA Unsupported SFR Module


Scenario:
Make: Cisco
Model: ASA 5506-X, ASA 5512-X, Cisco ASA 5508-X, 5506W-X
Mode: CLI (Command Line Interface)
Description: This article discusses the unsupported SFR (FirePOWER) module issue that appears after upgrading Cisco ASA firewalls to 9.10.x or a later version of Cisco IOS.

Problem

If you have upgraded, or are planning to upgrade, your Cisco 5506-X series and/or Cisco 5512-X series ASA to IOS 9.10.x or later, FirePOWER services will stop working and the SFR module status will be “unsupported“.

edledge-asa# sh module

Mod  Card Type                                    Model           Serial No.
---- -------------------------------------------- ------------------ --
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508         JAD12345678

sfr Unsupported Unsupported       

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.f4db to f4db.3738.f4db 3.2          1.1.13       9.13(1)10

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- -------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
0 Up Sys             Not Applicable

In the above output of the sh module command, the SFR status is unsupported. Sometimes the SFR module also causes unwanted failover of the ASA. If you are facing that issue, follow the article Unwanted ASA Failover Due To SFR Error.

Solution

This happens because of the IOS version running on the Cisco 5506-X series and 5512-X series ASA. The reason is given in the release notes for IOS version 9.10(x).

No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1) or later, the ASA configuration to send traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade. The FirePOWER image and its configuration remains intact on the SSD. If you want to downgrade, you can copy the ASA configuration from the backup to restore functionality.

The full text is in the release notes for IOS version 9.10(x). The issue occurs with IOS version 9.10.x and later.

To get the SFR working again, downgrade the ASA to a version lower than 9.10.x. Once the ASA is on a 9.9.x version, the FirePOWER/SFR module will start working again.

To downgrade the IOS of your Cisco ASA, follow the steps in Cisco ASA IOS Upgrade/Downgrade GUI or, if you are more comfortable with the command line, refer to the article Cisco ASA IOS Upgrade/Downgrade CLI. After downgrading the ASA to a version lower than 9.10.x, the SFR module will start working again.
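The release note above says the upgrade erases the ASA configuration that sends traffic to the FirePOWER module, so it is worth checking a saved running-config before changing versions. The following pre-upgrade check is an added example, not code from this article or from Cisco; the function names and the sample configuration are constructed for illustration, and the affected-model list is taken from the release note text quoted above.

```python
import re

# Models named in the quoted 9.10(1) release note (5506-X series, 5512-X).
AFFECTED = ("5506", "5512")
FIRST_UNSUPPORTED = (9, 10, 1)

def parse_version(text):
    """Turn an ASA version such as '9.13(1)10' into (9, 13, 1)."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)\)", text)
    if not m:
        raise ValueError(f"not an ASA version: {text!r}")
    return tuple(int(x) for x in m.groups())

def sfr_redirects(running_config):
    """Return (policy-map, class, command) for each 'sfr fail-open/fail-close' line."""
    found, pmap, cls = [], None, None
    for line in running_config.splitlines():
        s = line.strip()
        if line.startswith("policy-map "):
            pmap, cls = s.split()[-1], None
        elif s.startswith("class ") and pmap:
            cls = s.split()[1]
        elif re.match(r"sfr fail-(open|close)\b", s) and pmap:
            found.append((pmap, cls, s))
        elif line and not line[0].isspace():
            pmap, cls = None, None  # left the policy-map block
    return found

def upgrade_risk(model, target_version, running_config):
    """Report whether the upgrade would drop FirePOWER redirection on this unit."""
    hit = any(tag in model for tag in AFFECTED)
    unsupported = parse_version(target_version) >= FIRST_UNSUPPORTED
    redirects = sfr_redirects(running_config)
    at_risk = hit and unsupported
    return {"module_unsupported": at_risk,
            "redirects_at_risk": redirects if at_risk else [],
            "backup_required": bool(at_risk and redirects)}

# Constructed sample running-config fragment (not taken from the article).
SAMPLE_CONFIG = """\
class-map SFR_TRAFFIC
 match any
policy-map global_policy
 class SFR_TRAFFIC
  sfr fail-open
service-policy global_policy global
"""

if __name__ == "__main__":
    print(upgrade_risk("ASA5506", "9.13(1)10", SAMPLE_CONFIG))
```

Any entry under redirects_at_risk is a traffic class that would pass without FirePOWER inspection after the upgrade, so keep the backup of those lines for the downgrade.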

Source: Cisco, Knowledge Base, Internet

EA00045
